
@elmontoya7
Last active October 3, 2017 22:26
Reading a signed_request from Facebook when the user uninstalls your app.
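// Receive the POST callback Facebook sends to your node.js app when a user removes the app.
// The body carries `signed_request`: "<base64url signature>.<base64url JSON payload>".
router.post('/deauthorize', function (req, res) {
  // Local require keeps the snippet self-contained; hoist it to the top of the module in a real app.
  var crypto = require('crypto');
  var signed_request = req.body && req.body.signed_request;

  // A repeated form field can arrive as an array or object; only a non-empty string can be verified.
  if (typeof signed_request === 'string' && signed_request) {
    // Placeholder value: load the real app secret from configuration, never commit it to source.
    var app_secret = 'your_app_secret';
    var data = signed_request.split('.');
    if (data.length > 1) {
      //docs - https://developers.facebook.com/docs/games/gamesonfacebook/login#parsingsr
      // Keep both signatures as raw bytes. Decoding HMAC output to a UTF-8 string is lossy
      // (invalid sequences collapse to U+FFFD), so distinct signatures could compare equal.
      var signature = Buffer.from(data[0], 'base64');
      // signature == HMAC-SHA256 of the still-encoded payload (data[1]), keyed with app_secret
      var expected_sig = crypto.createHmac('sha256', app_secret).update(data[1]).digest();

      // timingSafeEqual throws on unequal lengths, so check the length first.
      var signature_ok = signature.length === expected_sig.length &&
        crypto.timingSafeEqual(signature, expected_sig);

      if (signature_ok) {
        // Parse the payload only after the signature has been verified.
        try {
          var payload = JSON.parse(Buffer.from(data[1], 'base64').toString('utf8'));
          //do something with your data :)
        } catch (err) {
          console.log('INVALID JSON RESPONSE FROM FB /DEAUTHORIZE');
        }
      } else {
        console.log('BAD SIGNED JSON /DEAUTHORIZE');
      }
    } else {
      console.log('INVALID JSON RESPONSE FROM FB /DEAUTHORIZE');
    }
  }
  //SEND STATUS 200 TO FB
  res.status(200).send('done');
});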